From a90c921d8fe644c274f4a823c865ee3c9d25b5bc Mon Sep 17 00:00:00 2001
From: marioqxx
Date: Sat, 3 Jun 2023 14:52:20 +0200
Subject: [PATCH 1/6] Fix a bug in nc_apache2.j2 template concerning intermed-CA.
Remove ansible-lint warnings and add config-variable needed for SSO to nc_apache2.j2 template.
Signed-off-by: marioqxx
---
 roles/install_nextcloud/tasks/tls_signed.yml | 26 ++++++++++---------
 .../install_nextcloud/templates/apache2_nc.j2 | 5 ++--
 2 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/roles/install_nextcloud/tasks/tls_signed.yml b/roles/install_nextcloud/tasks/tls_signed.yml
index 7c845c09..30e05549 100644
--- a/roles/install_nextcloud/tasks/tls_signed.yml
+++ b/roles/install_nextcloud/tasks/tls_signed.yml
@@ -12,13 +12,13 @@
 nextcloud_tls_chain_file: "{{ nextcloud_tls_chain_file | default(cert_path + nextcloud_instance_name + \".pem\") }}"
 when: nextcloud_tls_src_chain is defined
-- name: "[SIGNED TLS] - Copy certificate to the host"
+- name: "[SIGNED TLS] - Copy certificate file for apache2 to the host"
 ansible.builtin.copy:
 dest: "{{ nextcloud_tls_cert_file }}"
 src: "{{ nextcloud_tls_src_cert }}"
 owner: "{{ nextcloud_websrv_user }}"
 group: "{{ nextcloud_websrv_group }}"
- mode: "0640"
+ mode: u=rw,g=r,o=-
 force: true
 when:
 - nextcloud_websrv not in ["nginx"]
@@ -29,28 +29,30 @@
 dest: "{{ nextcloud_tls_cert_file }}"
 owner: "{{ nextcloud_websrv_user }}"
 group: "{{ nextcloud_websrv_group }}"
- mode: "0640"
+ mode: u=rw,g=r,o=-
 vars:
 input_files: ["{{ nextcloud_tls_src_cert }}", "{{ nextcloud_tls_src_chain }}"]
 when:
 - nextcloud_tls_src_chain is defined
 - nextcloud_websrv in ["nginx"]
-- name: "[SIGNED TLS] - Key is copied to the host"
+- name: "[SIGNED TLS] - Copy certificate chain file for apache2 to the host"
 ansible.builtin.copy:
- dest: "{{ nextcloud_tls_cert_key_file }}"
- src: "{{ nextcloud_tls_src_cert_key }}"
+ dest: "{{ nextcloud_tls_chain_file }}"
+ src: "{{ nextcloud_tls_src_chain }}"
 owner: "{{ nextcloud_websrv_user }}"
 group: "{{ nextcloud_websrv_group }}"
- mode: "0400"
+ mode: u=rw,g=r,o=-
 force: false
+ when:
+ - nextcloud_tls_src_chain is defined
+ - nextcloud_websrv not in ["nginx"]
-- name: "[SIGNED TLS] - Certificate chain is copied to the host"
+- name: "[SIGNED TLS] - Key is copied to the host"
 ansible.builtin.copy:
- dest: "{{ nextcloud_tls_chain_file }}"
- src: "{{ nextcloud_tls_src_chain }}"
+ dest: "{{ nextcloud_tls_cert_key_file }}"
+ src: "{{ nextcloud_tls_src_cert_key }}"
 owner: "{{ nextcloud_websrv_user }}"
 group: "{{ nextcloud_websrv_group }}"
- mode: "0640"
+ mode: u=r,g=-,o=-
 force: false
- when: nextcloud_tls_src_chain is defined
diff --git a/roles/install_nextcloud/templates/apache2_nc.j2 b/roles/install_nextcloud/templates/apache2_nc.j2
index 6386bfb0..41a08438 100644
--- a/roles/install_nextcloud/templates/apache2_nc.j2
+++ b/roles/install_nextcloud/templates/apache2_nc.j2
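Review bot: The new chain task (`+- name: "[SIGNED TLS] - Copy certificate chain file for apache2 to the host"`) keeps `force: false`, so once a host has a chain file a changed intermediate on the controller is never redeployed, while the leaf certificate task above it uses `force: true`; after a renewal that also rotates the intermediate, Apache would serve the new leaf with a stale chain, which clients reject as an incomplete chain. The key task at the end of the hunk carries the same `force: false`, and a renewal that rotates the key would then leave a leaf/key mismatch that stops Apache from starting. Unless leaving host-managed files untouched is intended, set `force: true` on the chain task (and the key task), or record the reason next to it, e.g. `# force: false — an existing host-side chain is deliberately left in place`. Whether the renewal flow ever changes the key or the intermediate cannot be told from this hunk.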
@@ -46,12 +46,13 @@ DocumentRoot {{ nextcloud_webroot }}
 {% if (nextcloud_max_upload_size_in_bytes|int) <= 2147483647-%}
 LimitRequestBody {{ nextcloud_max_upload_size_in_bytes }}
+ LimitRequestFieldsize 32768
 {% endif -%}
 SSLEngine on
 SSLCertificateFile {{ nextcloud_tls_cert_file }}
 SSLCertificateKeyFile {{ nextcloud_tls_cert_key_file }}
-{% if nextcloud_tls_cert_chain_file is defined %}
- SSLCertificateChainFile {{ nextcloud_tls_cert_chain_file }}
+{% if nextcloud_tls_chain_file is defined %}
+ SSLCertificateChainFile {{ nextcloud_tls_chain_file }}
 {% endif %}
 # enable HTTP/2, if available
From 05f727b0a1716ea8efe6add0de4397add4c7d01a Mon Sep 17 00:00:00 2001
From: marioqxx
Date: Sat, 3 Jun 2023 16:20:01 +0200
Subject: [PATCH 2/6] Fix the same inconsistency in tls_insallted.yml
Signed-off-by: marioqxx
---
 roles/install_nextcloud/tasks/tls_installed.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/install_nextcloud/tasks/tls_installed.yml b/roles/install_nextcloud/tasks/tls_installed.yml
index 46fd5a78..0df0466c 100644
--- a/roles/install_nextcloud/tasks/tls_installed.yml
+++ b/roles/install_nextcloud/tasks/tls_installed.yml
@@ -7,7 +7,7 @@
 ansible.builtin.set_fact:
 nextcloud_tls_cert_key_file: "{{ nextcloud_tls_cert_key }}"
-- name: "[INSTALLED TLS] - Define certificate chain path"
+- name: "[INSTALLED TLS] - Define certificate chain path"
 ansible.builtin.set_fact:
- nextcloud_tls_cert_chain_file: "{{ nextcloud_tls_cert_chain }}"
+ nextcloud_tls_chain_file: "{{ nextcloud_tls_cert_chain }}"
 when: nextcloud_tls_cert_chain is defined
From 2191666c8040af2fb2686b54b236fc99e03e0b79 Mon Sep 17 00:00:00 2001
From: marioqxx <82337956+marioqxx@users.noreply.github.com>
Date: Sun, 25 Jun 2023 12:14:59 +0200
Subject: [PATCH 3/6] Update roles/install_nextcloud/tasks/tls_signed.yml
Sure. I chanced to this notiation, because of ansible-lint warnings on my computer.
Co-authored-by: wiktor2200
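Review bot: `+ LimitRequestFieldsize 32768` is placed inside the `{% if (nextcloud_max_upload_size_in_bytes|int) <= 2147483647 %}` block, so the larger header limit added for SSO is silently dropped whenever the configured upload size exceeds 2 GiB; the two settings are unrelated and the directive belongs after `{% endif -%}`. The commit message calls it a config variable, but the value is hard-coded; a role default (name to be chosen) would let operators keep Apache's 8190-byte default where no SSO is in use, since a raised header limit is memory the server holds per request for any client, authenticated or not. Either way, add a comment above the directive, `# raised from Apache's 8190 default so that SSO tokens carried in request headers are accepted`. The enclosing VirtualHost block starts and ends outside the hunk.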
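Review bot: Renaming the fact from `nextcloud_tls_cert_chain_file` to `nextcloud_tls_chain_file` only holds together if every consumer is updated too; this series touches apache2_nc.j2, so any other template or task that still reads the old name (an nginx template, if the role has one) would now see an undefined variable and fail at render time. Grep the role for the old name before merging, and note the coupling in the task, e.g. `# nextcloud_tls_chain_file is the name apache2_nc.j2 expects; keep in sync with tls_signed.yml`. The `- name:`/`+ name:` pair in this hunk is textually identical, presumably a whitespace-only change.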
Signed-off-by: marioqxx <82337956+marioqxx@users.noreply.github.com>
---
 roles/install_nextcloud/tasks/tls_signed.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/install_nextcloud/tasks/tls_signed.yml b/roles/install_nextcloud/tasks/tls_signed.yml
index 30e05549..05210efd 100644
--- a/roles/install_nextcloud/tasks/tls_signed.yml
+++ b/roles/install_nextcloud/tasks/tls_signed.yml
@@ -18,7 +18,7 @@
 src: "{{ nextcloud_tls_src_cert }}"
 owner: "{{ nextcloud_websrv_user }}"
 group: "{{ nextcloud_websrv_group }}"
- mode: u=rw,g=r,o=-
+ mode: "0640"
 force: true
 when:
 - nextcloud_websrv not in ["nginx"]
From 3c90a264c949c0cde9ffa397ad562d50bfa6d6a9 Mon Sep 17 00:00:00 2001
From: marioqxx <82337956+marioqxx@users.noreply.github.com>
Date: Sun, 25 Jun 2023 12:15:08 +0200
Subject: [PATCH 4/6] Update roles/install_nextcloud/tasks/tls_signed.yml
Co-authored-by: wiktor2200
Signed-off-by: marioqxx <82337956+marioqxx@users.noreply.github.com>
---
 roles/install_nextcloud/tasks/tls_signed.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/install_nextcloud/tasks/tls_signed.yml b/roles/install_nextcloud/tasks/tls_signed.yml
index 05210efd..9e398270 100644
--- a/roles/install_nextcloud/tasks/tls_signed.yml
+++ b/roles/install_nextcloud/tasks/tls_signed.yml
@@ -29,7 +29,7 @@
 dest: "{{ nextcloud_tls_cert_file }}"
 owner: "{{ nextcloud_websrv_user }}"
 group: "{{ nextcloud_websrv_group }}"
- mode: u=rw,g=r,o=-
+ mode: "0640"
 vars:
 input_files: ["{{ nextcloud_tls_src_cert }}", "{{ nextcloud_tls_src_chain }}"]
 when:
From 0e9a77fd559e68ce966ba060b8509dbc62a325ef Mon Sep 17 00:00:00 2001
From: marioqxx <82337956+marioqxx@users.noreply.github.com>
Date: Tue, 27 Jun 2023 22:40:50 +0200
Subject: [PATCH 5/6] Update roles/install_nextcloud/tasks/tls_signed.yml
Co-authored-by: wiktor2200
Signed-off-by: marioqxx <82337956+marioqxx@users.noreply.github.com>
---
 roles/install_nextcloud/tasks/tls_signed.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/install_nextcloud/tasks/tls_signed.yml b/roles/install_nextcloud/tasks/tls_signed.yml
index 9e398270..a8ed4eb4 100644
--- a/roles/install_nextcloud/tasks/tls_signed.yml
+++ b/roles/install_nextcloud/tasks/tls_signed.yml
@@ -54,5 +54,5 @@
 src: "{{ nextcloud_tls_src_cert_key }}"
 owner: "{{ nextcloud_websrv_user }}"
 group: "{{ nextcloud_websrv_group }}"
- mode: u=r,g=-,o=-
+ mode: 0400
 force: false
From 2febd3b91ccd0dc0546d7339e5fb1b0bdc1406e2 Mon Sep 17 00:00:00 2001
From: marioqxx <82337956+marioqxx@users.noreply.github.com>
Date: Tue, 27 Jun 2023 22:40:58 +0200
Subject: [PATCH 6/6] Update roles/install_nextcloud/tasks/tls_signed.yml
Co-authored-by: wiktor2200
Signed-off-by: marioqxx <82337956+marioqxx@users.noreply.github.com>
---
 roles/install_nextcloud/tasks/tls_signed.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/install_nextcloud/tasks/tls_signed.yml b/roles/install_nextcloud/tasks/tls_signed.yml
index a8ed4eb4..89a6b54d 100644
--- a/roles/install_nextcloud/tasks/tls_signed.yml
+++ b/roles/install_nextcloud/tasks/tls_signed.yml
@@ -42,7 +42,7 @@
 src: "{{ nextcloud_tls_src_chain }}"
 owner: "{{ nextcloud_websrv_user }}"
 group: "{{ nextcloud_websrv_group }}"
- mode: u=rw,g=r,o=-
+ mode: 0400
 force: false
 when:
 - nextcloud_tls_src_chain is defined
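Review bot: `+ mode: 0400` in the patch 5 hunk is an unquoted octal literal; the YAML 1.1 loader Ansible uses reads it as the integer 256, which the file handling happens to apply as 0o400, but Ansible's module documentation recommends quoting octal modes because a leading-zero literal works in some contexts and fails in others (loops among them), and this same series writes `"0640"` quoted in patches 3 and 4. Write `mode: "0400"` here and in the patch 6 hunk for the chain file, which has the same `+ mode: 0400`. The 0400 chosen for the chain file in patch 6 is also stricter than the 0640 used for the leaf certificate in the same file; it works because the owner is the web-server user, but the difference deserves either a comment or alignment to 0640, since the chain holds public certificates only.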